Amazon Web Services provides a lot of features and functionality that enable you to secure and effectively ‘lock down’ your instances. This is extremely useful when you only want your data to be available to certain groups of people, and also when you’re securing the backend database and application servers from public view. To achieve this level of security, Amazon Web Services offers a VPC (Virtual Private Cloud).

By using a VPC you gain complete control over your network, enabling you to define your own IP ranges, subnets* and routing tables**.

Within your VPC, you can create your own public or private facing subnets. Private subnets are used for instances that you don’t want to be directly addressable from the internet. Instances within a private subnet route their outbound traffic through a NAT (Network Address Translation) device, so their private IP addresses are never exposed to the internet. This is particularly useful when, for example, you have a public-facing website but want the backend databases to be private.

Further to subnetting, you can control access to your VPC via AWS security groups and network access control lists (ACLs). This gives you inbound and outbound packet filtering*** at both the instance level (security groups) and the subnet level (network ACLs).

You can also strictly control access between your web servers, application servers, database servers and S3 buckets, so that they are only accessible from instances within your VPC, further improving security and stopping unwanted access to your data.
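The two filtering layers above behave differently: a security group is stateful (the reply to an allowed inbound connection is let back out automatically), while a network ACL is stateless and evaluates every packet, including replies, against numbered rules. The following Python model, added here as an illustration and not code from the article or from AWS, evaluates a connection through both layers for a constructed two-tier layout (a public web subnet 10.0.1.0/24 and a private database subnet 10.0.2.0/24, instance addresses and security-group names all assumed). It also shows what happens when the ACL rule that admits return traffic on ephemeral ports is missing.

```python
import ipaddress

# Constructed sample topology (an assumption for this example, not from the article):
# a public web subnet and a private database subnet inside one VPC.
ANY = ipaddress.ip_network("0.0.0.0/0")
WEB_SUBNET = ipaddress.ip_network("10.0.1.0/24")
DB_SUBNET = ipaddress.ip_network("10.0.2.0/24")
EPHEMERAL = (1024, 65535)  # client-side return ports

# Instance address -> security group membership (constructed).
INSTANCE_SG = {"10.0.1.10": "sg-web", "10.0.2.20": "sg-db"}

# Security group ingress rules: group -> list of (source, port_range).
# A source is a CIDR or another group name. Groups are stateful and allow-only,
# so the reply to an admitted inbound flow needs no rule of its own.
SG_INGRESS = {
    "sg-web": [(ANY, (443, 443))],
    "sg-db": [("sg-web", (3306, 3306))],   # only the web tier may reach MySQL
}

# Network ACL rules per subnet: (rule_number, action, cidr, port_range).
# Evaluated in ascending rule-number order, first match wins, implicit deny at
# the end, and stateless: return traffic must be allowed explicitly.
NACL = {
    DB_SUBNET: {
        "in": [(100, "allow", WEB_SUBNET, (3306, 3306)), (32767, "deny", ANY, (0, 65535))],
        "out": [(100, "allow", WEB_SUBNET, EPHEMERAL), (32767, "deny", ANY, (0, 65535))],
    },
    WEB_SUBNET: {
        "in": [(100, "allow", ANY, (443, 443)), (110, "allow", ANY, EPHEMERAL),
               (32767, "deny", ANY, (0, 65535))],
        "out": [(100, "allow", ANY, (0, 65535)), (32767, "deny", ANY, (0, 65535))],
    },
}


def subnet_of(ip):
    """Return the VPC subnet containing ip, or None for an address outside the VPC."""
    addr = ipaddress.ip_address(ip)
    for net in NACL:
        if addr in net:
            return net
    return None


def in_range(port, rng):
    return rng[0] <= port <= rng[1]


def nacl_allows(subnet, direction, remote_ip, port):
    """Stateless check of one subnet's ACL for a single packet in or out of it."""
    for _num, action, cidr, rng in sorted(NACL[subnet][direction], key=lambda r: r[0]):
        if ipaddress.ip_address(remote_ip) in cidr and in_range(port, rng):
            return action == "allow"
    return False  # implicit deny when no rule matches


def sg_allows(dst_ip, src_ip, dport):
    """Stateful check: does the destination instance's security group admit this flow?"""
    sg = INSTANCE_SG.get(dst_ip)
    if sg is None:
        return False  # unknown instance
    src_sg = INSTANCE_SG.get(src_ip)
    for source, rng in SG_INGRESS[sg]:
        if not in_range(dport, rng):
            continue
        if isinstance(source, str):          # source given as a security group
            if source == src_sg:
                return True
        elif ipaddress.ip_address(src_ip) in source:   # source given as a CIDR
            return True
    return False


def connection_allowed(src_ip, dst_ip, dport, sport=40000):
    """Walk a TCP connection both ways: the request must pass the source subnet's
    outbound ACL (when the source is inside the VPC), the destination subnet's inbound
    ACL and the destination security group; the reply must pass the destination
    subnet's outbound ACL and the source subnet's inbound ACL. The security group
    tracks connection state, so it is not consulted again for the reply."""
    src_net, dst_net = subnet_of(src_ip), subnet_of(dst_ip)
    if dst_net is None:
        return False
    if src_net is not None and not nacl_allows(src_net, "out", dst_ip, dport):
        return False
    if not nacl_allows(dst_net, "in", src_ip, dport):
        return False
    if not sg_allows(dst_ip, src_ip, dport):
        return False
    # Reply packet travels from dst back to the client's ephemeral port.
    if not nacl_allows(dst_net, "out", src_ip, sport):
        return False
    if src_net is not None and not nacl_allows(src_net, "in", dst_ip, sport):
        return False
    return True


def allowed_without_nacl_rule(subnet, direction, rule_number, src_ip, dst_ip, dport):
    """Re-evaluate a flow with one ACL rule removed, to show that a stateless ACL
    silently breaks a connection when its return-traffic rule is missing."""
    saved = NACL[subnet][direction]
    NACL[subnet][direction] = [r for r in saved if r[0] != rule_number]
    try:
        return connection_allowed(src_ip, dst_ip, dport)
    finally:
        NACL[subnet][direction] = saved
```

With these rules the internet can reach the web tier on 443 but not the database on 3306, the web tier can reach the database, and removing rule 100 from the database subnet's outbound ACL makes the same web-to-database connection fail even though the security group still permits it: the request arrives, but the reply is dropped by the stateless ACL.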

*Subnetting a network lets you break it up into manageable chunks (perhaps one chunk per department). The purpose of this is to aid security: for example, machines on the general office subnet shouldn’t be able to access the machines within the payroll subnet. It’s a way to logically isolate certain areas of your network from certain groups of individuals.

As you can see below, each subnet is logically isolated from the others within the VPC. Members of subnet 1 are unable to view the contents of the machines in subnet 2. As mentioned above, this could be used when isolating payroll and HR data from all other employees.

**Routing tables are simply a set of rules that tell your data packets where to go.

***Packet filtering enables you to control which packets are allowed to pass through the router. It can accept or drop packets based on a predefined set of rules.
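The subnetting and routing-table notes above can be made concrete with a small addressing model. The Python below is an added example, not code from the article or from AWS: it carves a constructed 10.0.0.0/16 VPC range into /24 subnets, checks that they sit inside the VPC and do not overlap, and resolves next hops with the longest-prefix match a route table performs. The subnet names and the gateway target identifiers are placeholders. The point a practitioner should take from it is that every VPC route table carries a "local" route for the whole VPC range, so packets between two subnets are delivered directly; the office/payroll isolation described in the footnote is therefore enforced by network ACLs and security groups, not by the routing table.

```python
import ipaddress

# Constructed addressing plan for this example (not from the article).
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")


def plan_subnets(vpc_cidr, names, new_prefix=24):
    """Carve one subnet of the requested size per name out of the VPC range, in order."""
    candidates = vpc_cidr.subnets(new_prefix=new_prefix)
    return {name: next(candidates) for name in names}


def validate_subnets(vpc_cidr, subnets):
    """Return a list of problems: subnets outside the VPC range or overlapping each other."""
    problems = []
    nets = list(subnets.items())
    for name, net in nets:
        if not net.subnet_of(vpc_cidr):
            problems.append(f"{name} {net} is outside {vpc_cidr}")
    for i, (name_a, a) in enumerate(nets):
        for name_b, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{name_a} {a} overlaps {name_b} {b}")
    return problems


SUBNETS = plan_subnets(VPC_CIDR, ["public-web", "private-db", "payroll", "office"])
# -> public-web 10.0.0.0/24, private-db 10.0.1.0/24, payroll 10.0.2.0/24, office 10.0.3.0/24

# Route tables: the "local" route for the whole VPC CIDR is present in every VPC
# route table. The default route decides whether a subnet is public (internet
# gateway) or private (NAT device, which hides the instance's private address).
# Gateway ids are placeholders, not real AWS resource ids.
LOCAL = {VPC_CIDR: "local"}
PUBLIC_RT = {**LOCAL, ANY: "igw-PLACEHOLDER"}
PRIVATE_RT = {**LOCAL, ANY: "nat-PLACEHOLDER"}
ROUTE_TABLE_FOR = {
    "public-web": PUBLIC_RT,
    "private-db": PRIVATE_RT,
    "payroll": PRIVATE_RT,
    "office": PRIVATE_RT,
}


def next_hop(route_table, dst_ip):
    """Longest-prefix match: the most specific route containing dst_ip wins."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table.items():
        if addr in cidr and (best is None or cidr.prefixlen > best[0].prefixlen):
            best = (cidr, target)
    return best[1] if best else None


def egress_for(subnet_name, dst_ip):
    """Where a packet leaving the named subnet for dst_ip is sent."""
    return next_hop(ROUTE_TABLE_FOR[subnet_name], dst_ip)


def is_public(subnet_name):
    """A subnet is public when its default route points at an internet gateway."""
    target = next_hop(ROUTE_TABLE_FOR[subnet_name], "203.0.113.1")  # any non-VPC address
    return str(target).startswith("igw-")


def subnet_name_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return None


def routed_locally(src_ip, dst_ip):
    """True when the local route carries the packet subnet-to-subnet with neither NAT
    nor an internet gateway in the path, i.e. routing alone provides no isolation."""
    src = subnet_name_of(src_ip)
    return src is not None and egress_for(src, dst_ip) == "local"
```

Running the model shows the database subnet sending internet-bound traffic through the NAT target while the web subnet uses the internet gateway, and a packet from the office subnet to a payroll address being delivered by the local route, which is exactly the case the network ACL in the earlier example has to deny.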

